Mozilla Foundation Security Advisory 2008-65

Cross-domain data theft via script redirect error message

Announced: December 16, 2008

Reporter: Chris Evans

Impact: High

Products: Firefox, SeaMonkey, Thunderbird

Fixed in: Firefox 2.0.0.19, Firefox 2.0.0.20, Firefox 3.0.5, SeaMonkey 1.1.14, Thunderbird 2.0.0.19

Description

Google security researcher Chris Evans reported that a website could read a
limited amount of data from a different domain by loading, as a script, a
same-domain URL that redirects to an off-domain resource whose contents are
not valid JavaScript. When the browser attempts to parse the response as
JavaScript it raises a syntax error, and the error message, which can include
a fragment of the file's contents, is delivered to the attacking page through
the window.onerror DOM API.

A malicious website could use this to steal private data from users who are
authenticated to the site the redirect targets, since the browser attaches
that site's cookies to the redirected request. How much data is at risk
depends on the format of the data and on how the JavaScript parser interprets
it: for most files only the first word or two can be recovered, but some data
formats allow deeper probing through repeated loads.

Thunderbird shares the browser engine with Firefox and
could be vulnerable if JavaScript were to be enabled in mail. This is
not the default setting and we strongly discourage users from running
JavaScript in mail.

Update December 18, 2008: The Windows version of Firefox
2.0.0.19 was shipped without the fix for this issue (other platforms
were correctly patched). Firefox 2.0.0.20 has been released on Windows
to correct this oversight.

Workaround

Disable JavaScript until a version containing these fixes can be
installed.